Why IT Security Alone Won't Cut It: Insights on OT Security from Lee Barney of TPG
Corinium’s Maddie Abe engaged with Lee Barney, GM Tech Security at TPG Telcom about Operational Technology (OT) security.
As cyber threats evolve, OT security is rapidly emerging as a critical priority. With OT systems becoming more connected to IT networks, they face new vulnerabilities that could disrupt operations and endanger safety. This growing convergence is driving governments and organisations to recognise the urgent need for specialised security measures beyond traditional IT frameworks. With the recent Cyber Security Bill 2024, investment in OT security is set to surge as industries prioritise the protection of their most vital infrastructure.
Traditional IT Security vs OT Systems
When asked why IT security measures can't simply be applied to OT systems, Lee Barney didn’t mince words. “There are lessons to be learned from IT security, particularly in governance,” he explained. “But the tools and controls designed for IT, such as Endpoint Detection and Response tools, won’t work on OT systems. It’s a simple fact that OT systems are not IT systems, so the controls that you deploy won’t be the same.”
This distinction underscores a fundamental challenge in OT security: adapting tried-and-tested IT strategies to a world with different operational priorities and constraints.
Balancing Frameworks and Flexibility
Another challenge lies in balancing IT-focused cyber security frameworks with the specific needs of OT environments.
“There’s nothing wrong with using IT frameworks,” Barney clarified. “But you need to adapt them based on the purpose of the controls in the first place. Understanding this is key to identifying the right framework and applying it effectively.”
This flexibility extends to incident response. Barney’s approach ensures that OT security is not an afterthought. His team takes a unified approach.
“We don’t distinguish between OT and IT systems. OT systems are part of our playbooks and operating procedures, just like IT and network systems,” he said. “As a regulated industry, we are required by law to have an Incident Response Plan, and that includes OT.”
Ensuring OT security isn’t relegated to the sidelines of broader cyber security plans requires deliberate strategy and structure. For Barney, the solution is integration.
“IT, Networks, and OT are all integrated within Technical Security under one reporting line,” he shared. “Resources and funds are allocated based on need, aligned with our plan. This is overseen by one senior executive—me.”
By bringing these elements together, the company ensures that OT security remains a priority and is fully incorporated into their cyber security response.
Misconceptions in OT Security
In the IT world Confidentiality is generally the highest priority, data would be encrypted preventing unauthorized access, signing to ensure Integrity and high availability measures in place for core systems only.
One of the most common misconceptions about OT security is the belief that confidentiality is paramount. “For OT systems, the most important parts of the triad are availability and integrity. Confidentiality can play a role, but it’s not always the priority,” he explained.
Changing this mindset, he believes, starts with communication. “The only way to address this misconception is to change the way we talk about OT security,” he added.
Engaging the Board
One of the keys to advancing OT security is ensuring senior management and boards understand its unique risks and challenges. Barney highlighted the importance of framing discussions in terms that resonate with decision-makers.
“Look at the things the board cares about and tie it to that. If they care about risk reduction, tie it to risk. If they focus on regulation and compliance, follow that path,” he advised. “Having a board and executive team that understands and cares about security in all its forms is crucial.”
Future Challenges and Opportunities
Looking ahead, Barney identified government legislation as both the biggest challenge and opportunity for OT security.
“It all depends on how the government picks up legislation around OT and integrates it into existing legal frameworks,” he said. “That will shape the future of this field significantly.”
As OT systems continue to underpin critical infrastructure and industrial operations, the need for tailored security approaches has never been greater. Barney’s insights serve as a compelling reminder that IT security alone won’t cut it—organisations must evolve their strategies to address the unique demands of OT environments.
Don’t miss the opportunity to hear more from Lee Barney at OT Security Sydney 2025 on 11 February at Royal Randwick Racecourse.
If you would like to share your experience and insights at the event, feel free to reach out to Maddie Abe.
